The Bottom Line
- Recipient Identification: When responding to a GDPR access request, identifying the recipient organization by name (e.g., “the Tax Authority”) is sufficient. You are not required to specify internal departments or individual employees who received the data.
- Scope of Access vs. Lawfulness: An access request (Article 15 GDPR) obliges you to inform individuals what data you process and how. It does not require you to provide a full legal justification for the lawfulness of that processing within the response itself.
- Form of Disclosure: Providing a clear, structured overview of processed data, combined with redacted copies of underlying documents, can be a valid way to fulfill an access request, as long as it enables the individual to understand the processing and exercise their other GDPR rights.
The Details
This case centered on a GDPR access request filed by an individual against the Dutch National Coordinator for Counterterrorism and Security (NCTV). The individual, dissatisfied with the NCTV’s response, argued that it was too vague. The NCTV had provided a summary of the personal data it processed, the purposes, and a list of recipient organizations. The individual demanded more, including the specific reasons for the processing in his context and, crucially, the exact departments and officials within the recipient organizations who had accessed his data. He claimed this level of detail was necessary to exercise his rights with those other organizations.
The District Court of Midden-Nederland rejected the individual’s claims, providing significant clarity on the obligations of data controllers. The court’s central finding rested on its interpretation of “recipients” under Article 15 of the GDPR, referencing the key European Court of Justice ruling in Österreichische Post. The court clarified that there is a difference between naming a “category of recipients” (e.g., “advertisers” or “government bodies”), which is generally insufficient, and naming a “specific recipient” (e.g., “the National Police”). The NCTV met its obligation by naming the specific government organizations. Requiring disclosure of internal departments or staff members goes beyond the scope of the GDPR’s right of access.
The ruling reinforces a crucial boundary for businesses handling data access requests. The primary goal of an access request is to allow an individual to be aware of, and verify, the lawfulness of the processing of their personal data. However, the court confirmed this does not mean the controller must debate or legally defend the lawfulness of the processing within the access request procedure itself. By providing a clear and faithful overview of the data processed and the context, the NCTV had given the claimant the necessary tools to pursue his other rights, such as rectification or erasure, through the appropriate channels. The court also upheld the redactions in the provided documents, affirming that the right of access is not an absolute right to see unredacted internal files, especially when third-party data is involved.
Source
Rechtbank Midden-Nederland
